homelab-optimized/archive/joplin/02-Port-Forwarding-Configuration.md
Gitea Mirror Bot 5cdf36e545
Sanitized mirror from private repository - 2026-04-05 12:11:15 UTC

🔌 Port Forwarding Configuration

🟡 Intermediate Infrastructure Guide

This document details the current port forwarding configuration on the TP-Link Archer BE800 router, enabling external access to specific homelab services with automatic DDNS updates every 5 minutes.

🌐 Automatic Domain Updates
All domains are automatically updated via Cloudflare DDNS every 5 minutes, eliminating the need for manual IP management.

🔧 Current Port Forwarding Rules

Based on the TP-Link Archer BE800 router configuration:

📊 Active Port Forwards Summary

| Service Name | Device IP | External Port | Internal Port | Protocol | Domain Access |
|---|---|---|---|---|---|
| jitsi3 | 192.168.0.200 | 4443 | 4443 | TCP | meet.thevish.io:4443 |
| stun3 | 192.168.0.200 | 5349 | 5349 | All | meet.thevish.io:5349 |
| stun2 | 192.168.0.200 | 49160-49200 | 49160-49200 | All | meet.thevish.io (RTP) |
| stun1 | 192.168.0.200 | 3478 | 3478 | All | meet.thevish.io:3478 |
| gitea | 192.168.0.250 | 2222 | 2222 | All | git.vish.gg:2222 |
| portainer2 | 192.168.0.200 | 8000 | 8000 | All | pw.vish.gg:8000 |
| portainer2 | 192.168.0.200 | 9443 | 9443 | All | pw.vish.gg:9443 |
| portainer2 | 192.168.0.200 | 10000 | 10000 | All | pw.vish.gg:10000 |
| Https | 192.168.0.250 | 443 | 443 | All | vish.gg:443 |
| HTTP | 192.168.0.250 | 80 | 80 | All | vish.gg:80 |

🎯 Service Dependencies & External Access

🎥 Jitsi Meet Video Conferencing (192.168.0.200 - Atlantis)

External Access URLs

https://meet.thevish.io:4443  # Primary Jitsi Meet web interface
https://meet.vish.gg:4443     # Alternative domain access

Required Port Configuration

| Port | Protocol | Purpose | Critical |
|---|---|---|---|
| 4443 | TCP | HTTPS web interface | Essential |
| 5349 | All | TURN server for NAT traversal | Essential |
| 3478 | All | STUN server for peer discovery | Essential |
| 49160-49200 | All | RTP media streams (40 port range) | Essential |

Service Dependencies

# WebRTC Media Flow
Internet → Router:4443 → Atlantis:5443 → jitsi-web:443
Internet → Router:3478 → Atlantis:3478 → STUN server
Internet → Router:5349 → Atlantis:5349 → TURN server
Internet → Router:49160-49200 → Atlantis:49160-49200 → RTP streams

# All 4 port ranges required for full functionality:
- WebRTC media negotiation depends on STUN/TURN
- RTP port range handles multiple concurrent calls
- HTTPS interface provides web-based meeting access

📝 Gitea Git Repository (192.168.0.250 - Calypso)

External Access URLs

# SSH Git Operations
ssh://git@git.vish.gg:2222

# Web Interface
https://git.vish.gg

# Git Commands
git clone ssh://git@git.vish.gg:2222/username/repo.git
git remote add origin ssh://git@git.vish.gg:2222/username/repo.git
git push origin main

Port Configuration

| Port | Protocol | Purpose | Authentication |
|---|---|---|---|
| 2222 | All | SSH access for Git operations | SSH keys required |

Service Dependencies

# SSH Git Access Flow
Internet → Router:2222 → Calypso:2222 → gitea:22

# Requirements:
- SSH key authentication required
- Alternative to HTTPS Git access
- Enables Git operations from external networks
- Web interface accessible via reverse proxy on port 443

🐳 Portainer Container Management (192.168.0.200 - Atlantis)

External Access URLs

https://pw.vish.gg:9443      # Primary Portainer HTTPS interface
https://vish.gg:9443         # Alternative domain access
https://pw.vish.gg:8000      # Edge Agent communication
https://pw.vish.gg:10000     # Additional services

Port Configuration

| Port | Protocol | Purpose | Security Level |
|---|---|---|---|
| 9443 | All | Primary HTTPS interface | 🔒 High |
| 8000 | All | Edge Agent communication | ⚠️ Medium |
| 10000 | All | Extended functionality | ⚠️ Medium |

Service Dependencies

# Container Management Flow
Internet → Router:9443 → Atlantis:9443 → portainer:9443
Internet → Router:8000 → Atlantis:8000 → portainer:8000
Internet → Router:10000 → Atlantis:10000 → portainer:10000

# All three ports required for full Portainer functionality:
- 9443: Primary HTTPS interface for web management
- 8000: Edge Agent enables remote Docker management
- 10000: Extended functionality and additional services

🌍 Web Services (192.168.0.250 - Calypso)

External Access URLs

https://vish.gg              # Main web services (HTTPS)
https://www.vish.gg          # WWW subdomain
http://vish.gg               # HTTP (redirects to HTTPS)

# Additional Cloudflare Proxied Services:
https://cal.vish.gg          # Calendar service
https://reddit.vish.gg       # Reddit alternative
https://matrix.thevish.io    # Matrix chat server
https://joplin.thevish.io    # Joplin notes
https://www.thevish.io       # Alternative main domain

Port Configuration

| Port | Protocol | Purpose | Redirect |
|---|---|---|---|
| 443 | All | HTTPS web services | Primary |
| 80 | All | HTTP (redirects to HTTPS) | → 443 |

Service Dependencies

# Web Services Flow
Internet → Router:443 → Calypso:443 → nginx:443
Internet → Router:80 → Calypso:80 → nginx:80 → redirect to 443

# Requirements:
- Reverse proxy (Nginx) on Calypso handles routing
- SSL/TLS certificates for HTTPS (Let's Encrypt)
- Automatic HTTP to HTTPS redirection
- Cloudflare proxy protection for some subdomains

🏠 Host Mapping & Service Distribution

📊 Services by Host

| Host | IP Address | Services | Port Forwards | Primary Function |
|---|---|---|---|---|
| Atlantis | 192.168.0.200 | 45 services | 4 forwards | Jitsi Meet, Portainer |
| Calypso | 192.168.0.250 | 38 services | 3 forwards | Gitea SSH, Web Services |

🔌 Port Forward Distribution

Atlantis (192.168.0.200)

  • Jitsi Meet Video Conferencing: 4 port forwards
    • 4443/TCP: HTTPS web interface
    • 5349/All: TURN server
    • 49160-49200/All: RTP media (40 ports)
    • 3478/All: STUN server
  • Portainer Container Management: 3 port forwards
    • 9443/All: HTTPS interface
    • 8000/All: Edge Agent
    • 10000/All: Additional services

Calypso (192.168.0.250)

  • Gitea Git Repository: 1 port forward
    • 2222/All: SSH Git access
  • Web Services: 2 port forwards
    • 443/All: HTTPS web services
    • 80/All: HTTP (redirects to HTTPS)

🔒 Security Analysis & Risk Assessment

High Security Services

| Service | Port | Security Features | Risk Level |
|---|---|---|---|
| HTTPS Web (443) | 443 | Encrypted traffic, reverse proxy protected | 🟢 Low |
| Jitsi Meet (4443) | 4443 | Encrypted video conferencing, HTTPS | 🟢 Low |
| Portainer HTTPS (9443) | 9443 | Encrypted container management | 🟢 Low |

⚠️ Medium Security Services

| Service | Port | Security Considerations | Recommendations |
|---|---|---|---|
| Gitea SSH (2222) | 2222 | SSH key authentication required | Monitor access logs |
| Portainer Edge (8000) | 8000 | Agent communication, should be secured | Implement IP restrictions |
| HTTP (80) | 80 | Unencrypted, should redirect to HTTPS | Verify redirect works |

🔧 Network Services

| Service | Ports | Protocol Type | Security Notes |
|---|---|---|---|
| STUN/TURN | 3478, 5349 | Standard WebRTC protocols | Industry standard, encrypted by Jitsi |
| RTP Media | 49160-49200 | Media streams | Encrypted by Jitsi, 40 port range |

🛡️ Security Recommendations

Authentication & Access Control

# 1. Strong Authentication
- SSH keys for Gitea (port 2222) - disable password auth
- 2FA on Portainer (port 9443) - enable for all users
- Strong passwords on all web services
- Regular credential rotation

# 2. Access Monitoring
- Review Nginx/reverse proxy logs regularly
- Monitor failed authentication attempts
- Set up alerts for suspicious activity
- Log SSH access attempts on port 2222

# 3. Network Security
- Consider IP whitelisting for admin services
- Implement rate limiting on web interfaces
- Use VPN (Tailscale) for administrative access
- Regular security updates for all exposed services

Service Hardening

# 4. Service Security
- Keep all exposed services updated
- Monitor CVE databases for vulnerabilities
- Implement automated security scanning
- Regular backup of service configurations

# 5. Network Segmentation
- Consider moving exposed services to DMZ
- Implement firewall rules between network segments
- Use VLANs to isolate public-facing services
- Monitor inter-service communication
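The IP whitelisting and inter-segment firewall rules recommended above can be expressed as a host firewall on the exposed machine, as a second layer behind the router forwards. The script below is an added example and not the homelab's own configuration: it generates an nftables input ruleset for a host in Atlantis's position, keeping the Jitsi forwards public while the three Portainer ports (8000, 9443, 10000) only accept the LAN and the Tailscale range. It assumes nftables on the host, the LAN 192.168.0.0/24 from this page, and Tailscale's default 100.64.0.0/10 address range; the `homelab` table name is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not the homelab's own configuration): nftables input rules
# that keep public forwards open and restrict admin ports to trusted sources.
# Assumptions: nftables installed; LAN 192.168.0.0/24; Tailscale uses its
# default 100.64.0.0/10 range; table name "homelab" is arbitrary.
set -u

LAN_NET="192.168.0.0/24"
TAILSCALE_NET="100.64.0.0/10"

# Port classes taken from the page's Portainer and Jitsi tables.
ADMIN_TCP="8000, 9443, 10000"
PUBLIC_TCP="4443, 3478, 5349"
PUBLIC_UDP="3478, 5349, 49160-49200"

# Emit a complete ruleset; review it, then load with `nft -f ruleset.nft`.
gen_ruleset() {
  cat <<EOF
table inet homelab {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Admin ports (Portainer): LAN and Tailscale only
    ip saddr { $LAN_NET, $TAILSCALE_NET } tcp dport { $ADMIN_TCP } accept
    # Public forwards: Jitsi web, STUN/TURN and the RTP range
    tcp dport { $PUBLIC_TCP } accept
    udp dport { $PUBLIC_UDP } accept
    # Log probes against admin ports from anywhere else, then drop
    tcp dport { $ADMIN_TCP } log prefix "admin-port-probe " drop
  }
}
EOF
}

# Syntax-check the generated ruleset without loading it (nft -c).
# Prints "checked" when nft accepts it, "nft-missing" when nft is absent.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    gen_ruleset | nft -c -f - && echo checked
  else
    echo nft-missing
  fi
}

# Write the ruleset to a file when run directly; sourcing only defines functions.
if [ "${WRITE_RULESET:-0}" = 1 ]; then
  gen_ruleset > ruleset.nft
  check_ruleset
fi
```

Run with `WRITE_RULESET=1 bash hostfw.sh` to produce `ruleset.nft`; the `log prefix "admin-port-probe "` line gives the access-monitoring items above something concrete to alert on in the kernel log, and the `policy drop` default means any new forward added on the router must also be added here before it works.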

🌐 External Access Methods & Alternatives

🔌 Primary Access (Port Forwarding)

# Direct external access via domain names (DDNS updated every 5 minutes)
https://pw.vish.gg:9443          # Portainer
https://meet.thevish.io:4443     # Jitsi Meet (primary)
ssh://git@git.vish.gg:2222       # Gitea SSH

# Alternative domain access
https://vish.gg:9443             # Portainer (main domain)
https://meet.vish.gg:4443        # Jitsi Meet (alt domain)
https://www.vish.gg              # Main web services (HTTPS)
https://vish.gg                  # Main web services (HTTPS)

# Additional service domains (from Cloudflare DNS)
https://cal.vish.gg              # Calendar service (proxied)
https://reddit.vish.gg           # Reddit alternative (proxied)
https://www.thevish.io           # Alternative main domain (proxied)
https://matrix.thevish.io        # Matrix chat server (proxied)
https://joplin.thevish.io        # Joplin notes (proxied)

🔗 Alternative Access (Tailscale VPN)

# Secure mesh VPN access (recommended for admin)
https://atlantis.tail.vish.gg:9443   # Portainer via Tailscale
https://atlantis.tail.vish.gg:4443   # Jitsi via Tailscale
ssh://git@calypso.tail.vish.gg:2222  # Gitea via Tailscale

# Benefits of Tailscale access:
- No port forwarding required
- End-to-end encryption
- Access control via Tailscale ACLs
- No public-internet exposure of the admin ports

# Public Services (External Access)
- Jitsi Meet: External users need direct access
- Web Services: Public content via port forwarding
- Git Repository: Public repositories via HTTPS

# Admin Services (Tailscale Access)
- Portainer: Container management via VPN
- Gitea Admin: Administrative functions via VPN
- Monitoring: Grafana, Prometheus via VPN

🔄 Dynamic DNS (DDNS) Configuration

🌐 Automated DDNS Updates

# Cloudflare DDNS Configuration
- Update Frequency: Every 5 minutes
- Domains: vish.gg and thevish.io
- Record Types: IPv4 (A) and IPv6 (AAAA)
- Automation: 4 DDNS services running

# DDNS Services:
- ddns-vish-proxied: Updates proxied A records for vish.gg
- ddns-vish-unproxied: Updates DNS-only A records for vish.gg
- ddns-thevish-proxied: Updates proxied records for thevish.io
- ddns-thevish-unproxied: Updates DNS-only records for thevish.io

📊 Service Categories

# Proxied Services (Cloudflare Protection)
- cal.vish.gg, reddit.vish.gg, www.vish.gg
- matrix.thevish.io, joplin.thevish.io, www.thevish.io
- Benefits: DDoS protection, caching, SSL termination

# DNS-Only Services (Direct Access)
- git.vish.gg, meet.thevish.io, pw.vish.gg
- api.vish.gg, spotify.vish.gg
- Benefits: Direct connection, no proxy overhead
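The DDNS services above and the proxied / DNS-only split can be tied together in a single update pass. The script below is an added example, not the homelab's own `ddns-*` services: it reads the current public address from Cloudflare's trace endpoint, compares it with the record Cloudflare already holds, and only issues a PATCH when the address changed, keeping each name's proxy setting as the page lists it (forwarded ports such as 2222, 4443 and 9443 must stay DNS-only because the Cloudflare proxy only carries HTTP(S)). It assumes `CF_API_TOKEN` (a token with DNS edit rights on the zone) and `CF_ZONE_ID` are exported, that `curl` and `jq` are installed, and that each record already exists; `vish.gg` and `thevish.io` are separate zones, so the zone ID is per run.

```shell
#!/usr/bin/env bash
# Added example (not the homelab's own ddns-* services): one Cloudflare DDNS
# update pass, meant to run from cron every 5 minutes as the page describes.
# Assumptions: CF_API_TOKEN and CF_ZONE_ID exported, curl + jq installed,
# records already exist in the zone.
set -u

CF_API="https://api.cloudflare.com/client/v4"

# Pull the ip= field out of Cloudflare's /cdn-cgi/trace output (stdin).
parse_trace_ip() {
  awk -F= '$1 == "ip" {print $2}' | tr -d '\r'
}

# Current public address for one address family (4 or 6).
public_ip() {
  curl -s "-$1" https://www.cloudflare.com/cdn-cgi/trace | parse_trace_ip
}

# Proxy flag per hostname, copied from the page's proxied and DNS-only lists.
proxied_for() {
  case $1 in
    cal.vish.gg|reddit.vish.gg|www.vish.gg|matrix.thevish.io|joplin.thevish.io|www.thevish.io)
      echo true ;;
    *) echo false ;;
  esac
}

# JSON body for PATCH /zones/{zone}/dns_records/{id}; ttl 1 means "auto".
record_payload() {
  printf '{"type":"%s","name":"%s","content":"%s","ttl":1,"proxied":%s}' \
    "$1" "$2" "$3" "$4"
}

# "id current-content" for the (type, name) record, empty if it does not exist.
lookup_record() {
  curl -s -H "Authorization: Bearer $CF_API_TOKEN" \
    "$CF_API/zones/$CF_ZONE_ID/dns_records?type=$1&name=$2" |
    jq -r '.result[0] // empty | "\(.id) \(.content)"'
}

# Update one record only when the public address differs from what is stored.
# Prints unchanged, updated, failed or missing.
update_record() {
  local type=$1 name=$2 proxied=$3 family=4 ip id current
  [ "$type" = AAAA ] && family=6
  ip=$(public_ip "$family")
  [ -n "$ip" ] || { echo failed; return 1; }
  set -- $(lookup_record "$type" "$name")
  id=${1:-}; current=${2:-}
  [ -n "$id" ] || { echo missing; return 1; }
  if [ "$current" = "$ip" ]; then echo unchanged; return 0; fi
  if curl -s -X PATCH -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$(record_payload "$type" "$name" "$ip" "$proxied")" \
        "$CF_API/zones/$CF_ZONE_ID/dns_records/$id" | jq -e '.success' >/dev/null
  then echo updated; else echo failed; fi
}

# Cron entry for the page's 5-minute cadence (zone ID for vish.gg here):
#   */5 * * * * RUN_DDNS=1 CF_API_TOKEN=... CF_ZONE_ID=... /path/to/ddns.sh
if [ "${RUN_DDNS:-0}" = 1 ]; then
  for name in cal.vish.gg git.vish.gg pw.vish.gg; do
    echo "$name A $(update_record A "$name" "$(proxied_for "$name")")"
  done
fi
```

The network calls only run with `RUN_DDNS=1`, so the file can be sourced to test the pure helpers. Comparing before writing matters beyond API quota: every unnecessary PATCH shows up as an audit-log entry on the zone, which buries the changes you actually want to notice.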

🚨 Troubleshooting & Diagnostics

🔍 Common Issues & Solutions

Service Not Accessible Externally

# Diagnostic Steps:
1. Verify port forward rule is enabled in router
2. Confirm internal service is running on host
3. Test internal access first (192.168.0.x:port)
4. Check firewall rules on target host
5. Verify router external IP hasn't changed
6. Test DNS resolution: nslookup domain.com

# Commands:
docker-compose ps                    # Check service status
netstat -tulpn | grep PORT         # Verify port binding
nmap -p PORT domain.com             # Test external access
curl -I https://domain.com          # HTTP connectivity test
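The diagnostic steps above, plus the "verify redirect works" item from the risk table, can be run as one script. The following is an added example and not part of the original document: it carries a constructed copy of the page's forward table, probes each TCP port with a bash `/dev/tcp` handshake (no nmap needed), lists the UDP ports for an application-level Jitsi test since a bare UDP probe cannot prove STUN/TURN is answering, and judges whether port 80 actually redirects to HTTPS. It assumes bash, coreutils `timeout`, `curl` and `awk`, and that it is run from outside the home network, since from inside the LAN the results say nothing about the router.

```shell
#!/usr/bin/env bash
# Added example, not part of the original document: external check of the
# forwards listed on this page. Assumptions: bash (/dev/tcp), timeout, curl,
# awk; run from outside the LAN.
set -u

# Constructed copy of the page's forward table: "public-name port(s) proto label".
FORWARD_RULES='
meet.thevish.io 4443 tcp jitsi-web
meet.thevish.io 3478 udp stun
meet.thevish.io 5349 udp turn
meet.thevish.io 49160-49200 udp rtp
git.vish.gg 2222 tcp gitea-ssh
pw.vish.gg 9443 tcp portainer
pw.vish.gg 8000 tcp portainer-edge
pw.vish.gg 10000 tcp portainer-extra
vish.gg 443 tcp https
vish.gg 80 tcp http
'

# Expand "49160-49200" to one port per line; a single port passes through.
expand_ports() {
  case $1 in
    *-*) seq "${1%-*}" "${1#*-}" ;;
    *)   printf '%s\n' "$1" ;;
  esac
}

# Number of ports a rule spec covers (inclusive range).
port_count() { expand_ports "$1" | wc -l | tr -d ' '; }

# The page routes Portainer to Tailscale for admin use; flag those ports.
exposure_class() {
  case $1 in
    8000|9443|10000) echo admin ;;
    *)               echo public ;;
  esac
}

# TCP handshake probe with a 3-second timeout; exit 0 = port reachable.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Judge a `curl -sI http://...` header block (stdin) against the requirement
# that port 80 only redirects to HTTPS. Prints ok or missing.
redirect_ok() {
  local headers status location
  headers=$(cat)
  status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2}' | tr -d '\r')
  case "$status:$location" in
    301:https://*|302:https://*|308:https://*) echo ok ;;
    *) echo missing ;;
  esac
}

# Walk every rule: TCP gets a handshake probe, UDP is listed for an
# application-level test, and port 80 additionally gets the redirect check.
check_all() {
  echo "$FORWARD_RULES" | while read -r host spec proto label; do
    [ -n "$host" ] || continue
    cls=$(exposure_class "$spec")
    if [ "$proto" = tcp ]; then
      if tcp_open "$host" "$spec"; then state=open; else state=closed; fi
    else
      state="udp ($(port_count "$spec") ports, needs app-level test)"
    fi
    printf '%-16s %-12s %-15s %-6s %s\n' "$host" "$spec" "$label" "$cls" "$state"
    if [ "$spec" = 80 ]; then
      printf '%-16s %-12s %-15s %-6s redirect=%s\n' "$host" "$spec" "$label" "$cls" \
        "$(curl -sI --max-time 5 "http://$host/" | redirect_ok)"
    fi
  done
}

# Network checks only run on request, so the helpers can be sourced and tested.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
  check_all
fi
```

Run with `RUN_CHECKS=1 bash forward-check.sh`. A port reported `closed` while the router rule is enabled usually means the host firewall (step 4) or a stopped container (step 2); a row marked `admin` that reports `open` is a reminder that the page's own recommendation is to reach that service over Tailscale rather than a public forward.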

Jitsi Meet Connection Issues

# WebRTC requires all ports - test each:
nmap -p 4443 meet.thevish.io        # Web interface
nmap -p 3478 meet.thevish.io        # STUN server
nmap -p 5349 meet.thevish.io        # TURN server
nmap -p 49160-49200 meet.thevish.io # RTP range

# Browser diagnostics:
1. Open browser developer tools
2. Go to Network tab during call
3. Look for STUN/TURN connection attempts
4. Check for WebRTC errors in console
5. Test with different networks/devices

Gitea SSH Access Problems

# SSH troubleshooting steps:
ssh -p 2222 git@git.vish.gg        # Test SSH connection
ssh-add -l                         # Check loaded SSH keys
cat ~/.ssh/id_rsa.pub              # Verify public key
nmap -p 2222 git.vish.gg           # Test port accessibility

# Gitea-specific checks:
docker-compose logs gitea | grep ssh
# Check Gitea SSH configuration in admin panel
# Verify SSH key is added to Gitea user account

Portainer Access Issues

# Test all Portainer ports:
curl -I https://pw.vish.gg:9443    # Main interface
curl -I https://pw.vish.gg:8000    # Edge Agent
curl -I https://pw.vish.gg:10000   # Additional services

# Container diagnostics:
docker-compose logs portainer
docker stats portainer
# Check Portainer logs for authentication errors

🔧 Performance Optimization

Network Performance

# Monitor bandwidth usage:
iftop -i eth0                      # Real-time bandwidth
vnstat -i eth0                     # Historical usage
speedtest-cli                      # Internet speed test

# Optimize for concurrent users:
# Jitsi: Increase JVB memory allocation
# Gitea: Configure Git LFS for large files
# Portainer: Increase container resources

Service Performance

# Resource monitoring:
docker stats                       # Container resource usage
htop                              # System resource usage
df -h                             # Disk space usage

# Service-specific optimization:
# Jitsi: Configure for expected concurrent meetings
# Nginx: Enable gzip compression and caching
# Database: Optimize PostgreSQL settings

📋 Maintenance & Configuration Management

🔄 Regular Maintenance Tasks

Monthly Tasks

# Security and monitoring:
□ Review access logs for all forwarded services
□ Test external access to all forwarded ports
□ Update service passwords and SSH keys
□ Backup router configuration
□ Verify DDNS updates are working
□ Check SSL certificate expiration dates

Quarterly Tasks

# Comprehensive review:
□ Security audit of exposed services
□ Update all forwarded services to latest versions
□ Review and optimize port forwarding rules
□ Test disaster recovery procedures
□ Audit user accounts and permissions
□ Review and update documentation

Annual Tasks

# Major maintenance:
□ Complete security assessment
□ Review and update network architecture
□ Evaluate need for additional security measures
□ Plan for service migrations or updates
□ Review and update disaster recovery plans
□ Comprehensive backup and restore testing

📊 Configuration Backup & Documentation

Router Configuration

# TP-Link Archer BE800 backup:
- Export configuration monthly
- Document all port forward changes
- Maintain change log with dates and reasons
- Store backup files securely
- Test configuration restoration procedures

Service Health Monitoring

# Automated monitoring setup:
- Uptime monitoring for each forwarded port
- Health checks for critical services
- Alerts for service failures
- Performance metrics collection
- Log aggregation and analysis

🔗 Integration with Homelab Infrastructure

🌐 Tailscale Mesh Integration

# Secure internal access alternatives:
https://atlantis.tail.vish.gg:9443   # Portainer
https://atlantis.tail.vish.gg:4443   # Jitsi Meet
ssh://git@calypso.tail.vish.gg:2222  # Gitea SSH

# Benefits:
- No port forwarding required for admin access
- End-to-end encryption via WireGuard
- Access control via Tailscale ACLs
- Works from anywhere with internet

📊 Monitoring Integration

# Service monitoring via Grafana/Prometheus:
- External service availability monitoring
- Response time tracking
- Error rate monitoring
- Resource usage correlation
- Alert integration with notification services

🔄 Backup Integration

# Service data backup:
- Gitea repositories: automated Git backups
- Portainer configurations: volume backups
- Jitsi recordings: cloud storage sync
- Web service data: regular file system backups

Last Updated: 2025-11-17
Active Port Forwards: 10 rules across 2 hosts
External Domains: 12 with automatic DDNS updates
DDNS Update Frequency: Every 5 minutes via Cloudflare
Security Status: All services monitored and hardened